Kaspersky Lab has taken out a US patent for an advanced technology that detects unauthorized modifications of data. Unsanctioned modification of data, regardless of whether it is intentional or accidental, results in data distortion and loss.
Unauthorized modification of software code can lead to program execution errors. It is a well-known fact that most malicious programs inject their code into executable files, leading to the execution of malicious code when the infected files are run. Ensuring data integrity is therefore a major IT security issue.
File integrity can be ensured by using such technologies as hashing, digital signatures and tracking the most recent modifications made to a file. However, the first two methods are too resource-intensive to be used for ensuring the integrity of all the files on a computer system, while the standard implementation of the latter method is unreliable: many of today’s malicious programs are capable of altering time stamps to conceal any trace of file modification.
Standard integrity control methods either consume too many system resources or can occasionally miss infected files, leading to further distribution of malicious programs.
The advanced technology developed by Kaspersky Lab’s Mikhail Pavlyushik is free of these shortcomings. It checks file integrity reliably and quickly, without significant resource consumption. Patent No. 7 526 516 was issued for the technology by the US Patent and Trademark Office on 28 April, 2009.
The technology is based on the interception of application requests to change timestamps for one or more files. Such requests are tracked for each file and stored in a database. This information is then provided to a special module (usually a component of the antivirus program) which compares the timestamp update counter with the relevant timestamp. Changes to the timestamp update counter which are not accompanied by the relevant changes to the timestamp indicate file modification and possible infection. The antivirus program can then scan the file for malicious code or display an alert.
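The comparison described above can be modelled in a few lines. This is an added example, not Kaspersky Lab's code or the patented implementation: the `TimestampMonitor` class, its in-memory "database", the verdict names and the event trace are all constructed for illustration, and it assumes that an ordinary write lets the file system update the timestamp without an explicit request.

```python
from dataclasses import dataclass

@dataclass
class Record:
    mtime: int            # timestamp seen at the last integrity check
    counter: int = 0      # intercepted timestamp-update requests so far
    checked: int = 0      # counter value at the last integrity check

class TimestampMonitor:
    """Toy model: `fs` stands in for the file system's current timestamps."""
    def __init__(self, files):
        self.fs = dict(files)
        self.db = {p: Record(m) for p, m in files.items()}

    def write(self, path, now):
        # Assumption: an ordinary write lets the file system update the
        # timestamp itself, so no explicit request is intercepted.
        self.fs[path] = now

    def set_timestamp(self, path, value):
        # Interception point: count every explicit request, then let it through.
        self.db[path].counter += 1
        self.fs[path] = value

    def check(self, path):
        rec, mtime = self.db[path], self.fs[path]
        counter_moved = rec.counter != rec.checked
        mtime_moved = mtime != rec.mtime
        rec.checked, rec.mtime = rec.counter, mtime   # new baseline
        if counter_moved and not mtime_moved:
            return "suspicious"   # timestamp request left no visible change
        return "modified" if mtime_moved else "unchanged"

# Constructed event trace: (operation, path, value)
EVENTS = [
    ("write", "report.doc", 200),          # normal edit, timestamp moves
    ("write", "calc.exe", 300),            # content changed ...
    ("set_timestamp", "calc.exe", 100),    # ... then timestamp put back
]

def run_demo():
    mon = TimestampMonitor({"report.doc": 100, "calc.exe": 100, "notes.txt": 100})
    for op, path, value in EVENTS:
        getattr(mon, op)(path, value)
    return {p: mon.check(p) for p in sorted(mon.db)}

if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path}: {verdict}")
```

Only files whose verdict is not "unchanged" need to be handed to the scanner, which is where the saving over hashing every file comes from.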
The method and its software implementation, patented by Kaspersky Lab, provide quick and reliable tracking of file modifications, triggering antivirus scans to prevent execution of malicious code.